Firewall Wizards mailing list archives

Re: Quote cybersecurity unquote

From: David Lang <david () lang hm>
Date: Wed, 6 Nov 2013 20:52:21 -0800 (PST)

On Wed, 6 Nov 2013, Marcin Antkiewicz wrote:

trying. If they can't do system administration or system operations,

they're going to step away from the plate and let Amazon or Google or
whoever do it. Overall, this is probably for the best.


unfortunantly you are misinterpreting what they are leaving up to Amazon
and Google.

They aren't outsourceing the system administration, all they are
outsourcing is the hardware administration.


[..]

In many ways, much of what's going on in cloud computing is a step
backwards for security. While cloud computing can make doing upgrades
easier for good admins, it also makes it easier to keep running old
software without patching it. Look at how VMWare is pushing their products
for the desktop by advertizing that people will be able to keep running
Windows XP forever.



Hold on. There are multiple trends in security here that you lump into the
same bag:
- "Cloud" describes little more than a billing model (subscription O&M),
and a form of provisioning (the "elasticity"), and some business glue.
Amazon sells you a slice of a hypervisor, Google used to sell managed
python execution containers, SalesForce lets you build a CRM-related
applications as plugins into their data and services. Save for the Amazon's
case, who needs sysadmins? If you have 3k Amazon instances, but all of them
run the same code, you need a deployment specialist that is more of a
programmer than a sysadmin. No one will fix a node, there is no capacity
planning, log rotation, account provisioning - those are fixed at much
higher scale, or done via APIs. You sysadmin here is called an Architect,
and knows Chef/Puppet/etc like you knew /etc.

the problem is that your 3K systems may all be running the same vulnerable code.You need a sysadmin to create and maintain your template that you then runeverywhere.

And you do need these systems to log, and if you have logs, you need to worryabout rotation, retention, etc.

Far too many people make the exact same mistake in thinking that since it"Cloud" you no longer need all the infrastructure tools to manage things. Thetools do change (you don't upgrade 3K boxes, you upgrade the image and do arolling shutdown/startup with new image of the 3K boxes), but you still needtools and people who understand what's happening.

you even still need people with the ability to troubleshoot the lower levelsystems and communications, just throwing things in the cloud doesn't solve allscaleing issues (just look at healthcare.gov for a very public proof of that)

- Why bother with Amazon? Same hardware in the corporate data center, and
people you can actually talk to? Let's see - I have an app, we want to have
a load balancer, 5 front caches and 2 backed DBs provisioned in 3 days. Oh,
your lead on hardware is 2 weeks, and we did not do this architecture
before? DNS issues? Ah, the cabling you guys did not do for 3 weeks... IT
is either a commodity, and begins to see competition on price with other
options, or it's a well run organization that is fiercely competent and
pragmatic. I see much more of the first kind.

and if you change your management to be "Cloud like" you can get even more gainsby using bare metal systems that you netboot with a cloud-like management systemand avoid the hypervisor overhead.

-  I have 35 sites where upgrade from XP to Win7 costs $0.5 mil a pop.
Those are not offices, there is no added functionality we will get from Win
7. No, I were unable to plan ahead. We saw the wall, and when we tried to
pull brakes, it turned out that we run drum brakes from the 20's on bicycle
width tires - no braking power :-) What now? Mitigation. I gave Bromium a
call, they are more than happy to help, more work will happen. We will fix
the issue in 2-3 years, when the money will be spent on an lifecycle
replacement and, for the same money, we will get very important new
features (the XPs are fronts to big machinery that comes integrated). Yeah,
I know. I just work here... We will run XP, in VMs and on hardware, for a
decade or more.

Given the historic vulnerabilities, it is a responsible thing to do to run aclosed source OS for a decade or more after the vendor stops patching it?

I know it's going to be done, and the businesses see it as the most costeffective thing to do. But that's not a good **Security** thing to do. Now ifyou can be sure that none of these systems are network accessable, you may havemore of an argument, but look at the industrial control systems and the securitymess around them before you state that you will be safe.

- Security is maturing. Whether I like how it goes, the NIST standard work,
and the adoption talk surrounding it begins to smell like a talk on best
practices. Never mind all of the folks who will have to adopt it. I talk to
lawyers and insurers, they slowly are taking notice, and the poor security
volk will be hit with slow professionalization of the occupation. The
network security of the late 90s is no longer in demand. Openflow demands
serious networking skills and some programming skills. DevOps can run
immensely secure infrastructures, because their service model requires very
tight change control, minimalist capabilities on production nodes and all
admin actions are scripted. There is very little chance for a non-standard
configuration errors, or unnoticed config errors. Yes, mono-cultures are
bad. Yes, mistakes still happen. It's a much better model than state of an
average old school (10 years ago :-) Unix DMZ. Sorry, good security people
are in huge demand, expensive, and they will not work and behave as they
did 10 years ago.

We are talking apples and oranges here. you are talking DevOps, which works whenyour developers are half programmers, half sysadmins, and half security (andyes, needing 3/2 does mean that there are very, very few people who are reallygood at it)

Marcus was talking about how Cloud allowed people to outsource the sysadminwork to the hosting providers.

turning everyone into partial sysadmins is the exact opposite of outsourcing itto a few companies.

- Marcus is right. Cloud raises the bar or, more likely, allows cluefull
folks to run faster than the pack. Drop code on a VM (different spend
structure), use providers host security offers, integrated Nessus scans,
cheap 24/7 alerting, CloudFlare for WAF/DDoS/CDN, some DNS provider, and
you have a formidable setup that can be administered part time. Is it
better than the traditional way? No, but a lot of people can't afford the
typical solution and finding good people who can build it on a budget is
hard. The outcome is very different, but it took the market by a storm.

I absolutly agree that the current availability of rapid hosting options allowscluefull people to outrun others (and I've got put my money and time where mymouth is as well, making use of this infrastructure)

But what I am saying is that the ability for cluefull people to do things rightand outrun others doesn't translate into fixing the security of the non-clueful


David Lang

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Quote cybersecurity unquote Stephen P. Berry (Nov 01)
- Message not available
  - Re: Quote cybersecurity unquote Paul D. Robertson (Nov 05)
    - Re: Quote cybersecurity unquote mjr (Nov 05)
    - Re: Quote cybersecurity unquote David Lang (Nov 06)
    - Re: Quote cybersecurity unquote Marcin Antkiewicz (Nov 06)
    - Re: Quote cybersecurity unquote David Lang (Nov 07)
- Re: Quote cybersecurity unquote Anton Chuvakin (Nov 10)